09-05-2017 03:03 AM - edited 02-21-2020 06:16 AM
I'm looking through my ACP within FMC and I see the following under the Advanced Tab -
For the top option, what is best practice to set? This looks to me as if whatever is configured here will be processed before the actual ACP rules?
Is this right (and what is the point)?
Also, the bottom option, Default Network Analysis Policy - What exactly is this for? Just trying to understand why these need to be configured at all?
Thanks
10-08-2017 02:25 AM
Hello There,
What does the intrusion policy before ACP do
The intrusion policy is used to initially inspect traffic before the system can determine exactly how to inspect that traffic.
Why it makes sense
Basically there are some parts of the packet which can be checked by this intrusion policy while the system checks other parameters to decide which rule in the ACP would be used. Even before the access control policy is applied, the packet is decoded, run through inline normalization (if enabled from the NAP), and run through security intelligence and SSL decryption.
This is needed because sometimes the system must process the first few packets in a connection, allowing them to pass, before it can decide which access control rule (if any) will handle the traffic. A default intrusion policy is especially useful when performing application control and URL filtering, because the system cannot identify applications or filter URLs before a connection is fully established between the client and the server.

No Rules Active is the default intrusion policy for an access control policy where you first chose the Block all traffic or Network Discovery default action. Although choosing this option disables intrusion inspection on the allowed packets described above, it can improve performance if you are not interested in intrusion data.
In order to identify, for example, the Facebook application, the first few packets of a stream have to be allowed regardless of whether the action is Block or Allow. The "Intrusion Policy used before Access Control Rule is determined" is used to inspect those first packets.
Assume a situation where you have added one rule which blocks the Facebook application and you do not have 'Intrusion Policy used before Access Control Rule is determined' configured (No Rules Present). In this scenario the first few packets will be allowed (in order to identify the Facebook application), but those few packets will not be inspected because you have not configured 'Intrusion Policy used before Access Control Rule is determined'.
What is the network analysis policy (NAP)
For the Network analysis policy, this document should explain things in more detail.
Rate if helps.
Yogesh